⬆️ Updates @actions/core to v1.9.1 [SECURITY] #646
renovate[bot] wants to merge 1 commit into master from renovate/npm-actions-core-vulnerability
Branch automerge failure: This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.
🏷️ [bumpr] Next version: v1.14.1 Changes: v1.14.0...AlexRogalskiy:renovate/npm-actions-core-vulnerability
Thanks for the PR! This section of the codebase is owned by https://github.com/AlexRogalskiy/ - if they write a comment saying "LGTM" then it will be merged.
c795b02 to e212728
Scan Summary
| Tool | Critical | High | Medium | Low | Status |
|---|---|---|---|---|---|
| Dependency Scan (universal) | 3 | 21 | 9 | 0 | ❌ |
| Secrets Audit | 0 | 427 | 0 | 0 | ❌ |
Recommendation
Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍
e212728 to af2c976
Scan Summary
| Tool | Critical | High | Medium | Low | Status |
|---|---|---|---|---|---|
| Secrets Audit | 0 | 426 | 0 | 0 | ❌ |
Recommendation
Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍
This PR contains the following updates:
| Package | Change |
|---|---|
| @actions/core | 1.2.6 → 1.9.1 |
Warning: Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2022-35954
Impact
The core.exportVariable function uses a well-known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV file may cause the path or other environment variables to be modified without the intention of the workflow or action author.
Patches
Users should upgrade to @actions/core v1.9.1.
Workarounds
If you are unable to upgrade the @actions/core package, you can modify your action to ensure that any user input does not contain the delimiter _GitHubActionsFileCommandDelimeter_ before calling core.exportVariable.
References
More information about setting an environment variable in workflows
If you have any questions or comments about this advisory:
Release Notes
actions/toolkit (@actions/core)
- v1.9.1: core.exportVariable
- v1.9.0: toPosixPath, toWin32Path and toPlatformPath utilities #1102
- v1.8.2: @actions/http-client #1087
- v1.8.1: @actions/http-client
- v1.8.0: markdownSummary extension export in favor of summary
- v1.7.0: markdownSummary extension
- v1.6.0: getIDToken; file parameter to AnnotationProperties
- v1.5.0
- v1.4.0: getMultilineInput function
- v1.3.0
- v1.2.7
Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Moscow, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.